The corporate world is changing - and so are the laws governing it. Over the last couple of years a number of new laws and reports have placed new duties on the shoulders of organisations' directors, managers and employees. These include The King II Report on Corporate Governance; The Electronic Communications and Transactions Bill; The South African Constitution; The Promotion of Access to Information Act (PROATIA); and New Labour Legislation. Consequently, it comes as no surprise that many companies ask the question: "What do we have to do to be prepared for and compliant with all these new laws and regulations?"
This is not a simple question, and many companies have already spent (and wasted) loads of money trying to answer this. The answer, of course, implies much more than a 'quick fix' of current agreements, contracts and policies. During the last six months Buys Incorporated, amongst others, have completed in-depth studies into the impact the 'new' corporate governance trends will have on business. The main conclusion derived from this research was that four key areas in an organisation are affected by new legislation, namely:
* IT systems (workflow and security).
* Communication (with consumers, suppliers and the public).
* Transactions (with consumers, suppliers and employees).
What is quite clear though, is that the responsibility to comply with this legislation lies squarely with the CFO, CIO, HR and IT executives of your organisation.
Francis Cronjé, Buys Incorporated
IT security and accountability
Liabilities and outsourcing
More and more organisations are trying to escape their liabilities by means of outsourcing. The tendency is to outsource security issues, and the responsibility for improving awareness of information security within the organisation, to third parties or managed security service providers (MSSPs). It might seem the obvious solution, but it certainly does not leave the organisation without responsibilities towards its security, and it definitely does not free such an organisation of possible liabilities it might incur.
The King II Report made certain recommendations with regard to the responsibility of risk management within an organisation, and although not a law within itself, this report will definitely serve as a standard against which courts will weigh up certain factors when making their decisions. It was concluded that the total process of risk management, whether it is physical, operational, compliance, human resource, disaster recovery, business continuity or technology risks, remains the responsibility of the company board while management would be accountable to the board for designing, implementing and monitoring the process of risk management, and integrating it into the day-to-day activities of the company.
An organisation would therefore have to be on the alert when outsourcing certain work and not make the mistake of believing that its liabilities would also be outsourced. Should something go wrong, for instance where a virus destroys all the organisation's files and the third party/MSSP made no provision for disaster recovery, the board would be held accountable to shareholders, not the third party/MSSP.
SLAs and indemnity clauses
Good service level agreements between the organisation and third parties/MSSPs should form an integral part of any organisation's risk management procedure and should ideally contain an indemnity clause. This would ensure that the board, although still the liable party, would at least be able to recover its losses from the third party/MSSP. Organisations should be on the lookout for outsourcing companies that disclaim most of their liabilities, since any such disclaimers, if not carefully considered, will surely bury an organisation.
The Electronic Communications and Transactions Act of 2002 also indicates that suppliers offering goods or services for sale, for hire or for exchange by way of electronic transactions must:
* Make the security procedures policy in respect of payment, payment information and personal information available to consumers on the website where such goods or services are offered.
* Utilise a payment system that is sufficiently secure with reference to accepted technological standards at the time of the transaction and the type of transaction concerned.
* (Most important of all) accept that a business is liable for any damage suffered by a consumer due to failure by the supplier to comply.
Although it might seem from the above that it is hardly possible for an organisation to escape any form of liability, an organisation is definitely capable of reducing its liability and subsequent costs.
The question remains how?
Risk strategy policies
The King Report made recommendations to the effect that the company board must, in liaison with the executive directors and senior management, set risk strategy policies that must be clearly communicated to all employees to ensure their incorporation into the organisation. These policies would be:
* An IP policy.
* A communications policy.
* An IT security policy.
* A document management policy.
* An information management policy.
Apart from addressing the technological risks, these policies also address other risks that form part of an organisation. One example can be found in the Labour Relations Act, which states that the dismissal of an employee is only justified once the employee's misconduct leads to the irretrievable breakdown of the relationship between the employer and employee. In order to dismiss the employee, it is incumbent upon the employer to establish three things:
* That there was a rule (Policy) that was broken by the employee, for example employees may not give their access codes (passwords) to non-employees.
* That the rule was reasonable.
* That the rule had been brought to the attention of the employee.
Another example would be the effect of different statutes on an organisation's legal liability, and how such an organisation deals with the legal risks arising from legislation such as:
* The Financial Intelligence Services Bill.
* The Financial Advisory and Intermediary Services Bill.
* Income tax legislation (eg, use of electronic invoices).
* Promotion of Access to Information Act (PAIA).
By implementing document management and information management policies, an organisation's legal risks would be substantially reduced, and it would further ensure that an organisation's documents are stored in such a way that they will have the necessary evidential weight in a court afterwards. It would also ensure that organisations have the necessary manuals available (for example PAIA manuals).
Although it is by no means a way of escaping liability, outsourcing certain responsibilities can reduce corporate liability if sound principles are implemented. When pursuing such agreements, organisations should ask themselves the following:
* Do we have proper service level agreements?
* Have we carefully considered the outsourcing company's capabilities?
* Do we have the necessary corporate governance policies in place?